Posted by Eric Gorr on 04/06/05 07:22
Richard Lynch wrote:
> On Mon, April 4, 2005 2:00 pm, Eric Gorr said:
>
>>I wanted to setup a good 'contact me' page on my website. I do not want
>>to reveal my e-mail address, so I was going to use a form.
>>
>>The PHP script with the actual mail() function would define the To and
>>Subject parameters, so these could not be faked.
>>
>>I also plan to use a captcha.
>
>
> A what?
http://en.wikipedia.org/wiki/Captcha
It is a common technique that I didn't know the official name of for a
long time either.
>>The only concern I had was how to process the body text. Any
>>recommendations?
>>
>>One useful function would appear to be strip_tags, so no one could embed
>>annoying or destructive HTML, etc. which I may accidentally cause my
>>e-mail application to render.
>
>
> It's possible, though extremely unlikely, that somebody could construct a
> malicious email that passes through strip_tags and/or htmlentities and
> still does something *bad* for your particular email application.
Can you give an example?
If this would involve taking advantage of some unknown bug in the
particular e-mail application I am using, well, I have considered it and
since I could be affected via the form or not, I choose to not worry
about it.
> Since you anticipate such a low volume, and seem concerned that you will
> lose valuable info from an HTML-enhanced email, perhaps you should log the
> original and provide a link to view it in the email you send to yourself.
I am actually not concerned about strip_tags removing useful text...it
should be quite obvious that such a thing happened and it would be
trivial for me to simply contact the person sending the mail to obtain
that useful text (and, of course, to yell at them for sending me HTML :-).
> So if you REALLY need that "enhanced" email, you can surf to it.
>
> Of course, then your web-server/browser might be attacked by their code
> you are viewing/executing (JavaScript).
>
> You may also want to consider using a "throttle" on the form based on
> $_SERVER['REMOTE_ADDR'] and if more than X emails are sent in Y hours from
> the same IP, refuse to send it and send them to an error page.
This is why I plan to use a captcha...when used properly, it can be
quite effective against such attacks.
Still, what you suggest is an enhancement I will likely implement as
well. Thanks for the suggestion.
--
== Eric Gorr ========= http://www.ericgorr.net ========= ICQ:9293199 ==
"Those who would sacrifice a little freedom for temporal safety
deserve neither to be safe or free." -- Benjamin Franklin
== Insults, like violence, are the last refuge of the incompetent... ===
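The following PHP is an added example illustrating the pieces discussed in this exchange (To and Subject fixed by the script, strip_tags on the body, and a per-IP "X emails in Y hours" throttle on $_SERVER['REMOTE_ADDR']). It is not code from the original post or from either poster. Assumptions not in the thread: the form posts fields named `message` and `email`, the throttle is kept in a JSON file under sys_get_temp_dir(), and the address/subject constants are placeholders. The one addition beyond the thread is the Reply-To check: if you pass the visitor's address into mail()'s additional_headers argument, that is the place where a CR/LF in user input could add headers, so it is validated as a single plain address. The captcha check is left as a comment since its implementation is not part of this discussion.

```php
<?php
// Added example (not from the original thread). Assumptions: form fields
// 'message' and 'email'; throttle store in a JSON file in sys_get_temp_dir().
declare(strict_types=1);

const CONTACT_TO      = 'me@example.com';        // fixed by the script, never from the form
const CONTACT_SUBJECT = 'Website contact form';  // likewise fixed
const MAX_BODY_BYTES  = 10000;
const THROTTLE_MAX    = 5;      // at most X mails ...
const THROTTLE_WINDOW = 3600;   // ... per Y seconds, per REMOTE_ADDR

// Strip HTML, normalise line endings, cap the size and wrap long lines
// (RFC 5322 limits a line to 998 octets; 78 is the recommended width).
function clean_body(string $raw): string
{
    $text = strip_tags($raw);
    $text = str_replace(["\r\n", "\r"], "\n", $text);
    $text = substr($text, 0, MAX_BODY_BYTES);
    return wordwrap($text, 78, "\n", true);
}

// mail()'s additional_headers is the only place form input could inject
// extra headers, so accept nothing but a single, CR/LF-free address.
function safe_reply_to(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || preg_match('/[\r\n]/', $candidate)) {
        return null;
    }
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) !== false ? $candidate : null;
}

// File-backed sliding-window throttle keyed by client IP. Returns true if
// this request may send; fails closed if the store cannot be opened.
function throttle_allows(string $ip, int $now, string $storeFile): bool
{
    $fh = fopen($storeFile, 'c+');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);
    $raw   = stream_get_contents($fh);
    $store = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    // keep only timestamps still inside the window
    $hits = array_values(array_filter(
        $store[$ip] ?? [],
        fn($t) => $t > $now - THROTTLE_WINDOW
    ));
    $allowed = count($hits) < THROTTLE_MAX;
    if ($allowed) {
        $hits[] = $now;
    }
    $store[$ip] = $hits;
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($store));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $allowed;
}

function handle_contact_form(array $post, string $ip, int $now): string
{
    // Captcha verification belongs here, before anything is sent.
    $body = clean_body((string)($post['message'] ?? ''));
    if (trim($body) === '') {
        return 'Empty message.';
    }
    if (!throttle_allows($ip, $now, sys_get_temp_dir() . '/contact_throttle.json')) {
        return 'Too many messages from your address; please try again later.';
    }
    $headers = ['Content-Type: text/plain; charset=UTF-8'];
    $replyTo = safe_reply_to((string)($post['email'] ?? ''));
    if ($replyTo !== null) {
        $headers[] = 'Reply-To: ' . $replyTo;
    }
    $body = "Sender IP: $ip\n\n" . $body;
    // To and Subject come from the constants above, so the form cannot change them.
    return mail(CONTACT_TO, CONTACT_SUBJECT, $body, implode("\r\n", $headers))
        ? 'Sent.' : 'Mail failed.';
}

if (PHP_SAPI !== 'cli') {
    echo handle_contact_form($_POST, $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time());
}
```

The throttle is deliberately simple (a single JSON file under an exclusive lock); for anything beyond a low-traffic personal site, move the counters into a database or cache. Note that the throttle and the captcha complement each other: the captcha stops unattended scripts, the throttle stops a person or proxy pool that solves captchas and keeps going.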